Click Mice, Unclick Mice


SharePoint Audience Targeting vs. Item Level Security
Recently I have had several people asking me about security trimming options in MOSS 2007.  For the most part they knew the basics about what was available; however, it seems that many people might not understand what the real difference is and why someone might use one versus the other.  I thought it might be helpful to point out a few tips around each of the available options.
 
Audience targeting
I find this a pretty misunderstood piece of functionality, and I should probably start by saying it is only available in MOSS 2007, so if you are just using WSS v3 then you are out of luck for using this feature.  Many people equate audience targeting to a form of security trimming, and it really isn't.  The best description I can come up with is that it is more a content filter that allows a page or site author to scope the viewable content based on the audiences visiting the site.  That is, it allows design based on the user's role when visiting the site, as opposed to setting up multiple pages with multiple views.  You can set up a single page and filter out content based on the "audience" you set.  Probably the biggest thing I can restate here is that this is not a security mechanism.  Using this to filter a list view web part just stops the list view web part from displaying on that particular page for people outside the audience.  Anyone with any knowledge of SharePoint can just go view the base list and see the data unless you make use of Item Level Security as well.
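
To check the point above on a real list, the following added example (not code from the original post) reports whether a list that is audience-targeted on a page is actually restricted by permissions. It uses the WSS v3 server object model and must run on a SharePoint server; the site URL and list name are placeholder assumptions.

```powershell
# Added example: audit the permissions behind an audience-targeted list.
# $siteUrl and $listName are placeholders (assumptions), not values from the post.
param(
    [string]$siteUrl  = "http://intranet.example.local/sites/hr",
    [string]$listName = "Team Announcements"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
$list = $web.Lists[$listName]

# If the list inherits from the site, anyone with read access to the site can
# open the base list directly, whatever audience is set on the web part.
if (-not $list.HasUniqueRoleAssignments) {
    Write-Output "WARNING: '$listName' inherits its permissions from the site."
}

# Principals that can reach the list, with their permission levels.
foreach ($ra in $list.RoleAssignments) {
    $names  = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
    $levels = [string]::Join(", ", $names)
    Write-Output ("List access: {0} -> {1}" -f $ra.Member.Name, $levels)
}

# Folders and items that carry their own ACL (item level security in use).
$securedFolders = @($list.Folders | Where-Object { $_.HasUniqueRoleAssignments })
$securedItems   = @($list.Items   | Where-Object { $_.HasUniqueRoleAssignments })
Write-Output ("{0} folder(s) and {1} of {2} item(s) have unique permissions." -f `
    $securedFolders.Count, $securedItems.Count, $list.ItemCount)
foreach ($entry in ($securedFolders + $securedItems)) {
    Write-Output ("  unique ACL: {0}" -f $entry.Url)
}

$web.Dispose()
$site.Dispose()
```

A list that prints the warning and reports zero unique ACLs is protected only by the page-level filter, which is the situation the paragraph above describes.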
 
Audience Tips
Since not everyone may be aware of the different options available with audiences I thought I might share some useful audience tips that can help when trying to scope content in a SharePoint Site.
  1. SharePoint Groups - SharePoint Groups are a valid Target Audience mechanism.  This is particularly useful in situations where the site administrators may not have access to Active Directory.  This gives any site administrator access to set up and modify his audiences.  SharePoint Groups have the added benefit of allowing self-enrollment if the site administrator wants to set up a site that might have different levels of information and allow the users themselves to subscribe to the components they'd like.
  2. Domain Groups or Roles - If you are using Active Directory, domain groups are a valid Target Audience, and if you are using a Custom Authentication provider then don't worry, you can use a Custom Role provider as an audience too.  The nice part here is that many organizations already have groups set up for internal use that are perfect for targeting specific areas of an organization.  The SharePoint site administrator has less control over the membership in the group; however, this can be a plus to some, since it removes a level of complexity when troubleshooting problems.
  3. Audience Rules - Now these are actually very powerful and potentially the least understood.  They can be set up to do a number of pretty nice things.  An audience can be set up with multiple rules (which I will talk about in a little bit) and then set to require a match on all rules or on any rule.  This allows a SharePoint Shared Services administrator to define and scope very flexible audiences that will update automatically as user information is changed and synchronized into SharePoint.  As far as rules go, these can be as simple as belonging to a distribution list or security group, or being a part of a specific area of the organizational hierarchy (if you have this set up in Active Directory), and they can have additional complexity like matching a specific user profile property.  Group, list and organizational rules have operators of "Reports Under" and "Member Of".  User profile property rules have operators of "Contains" and "Not Contains".  So you could make a very simple rule to match all users that had the word Engineer in their Title property.  Or you could make something more complex that matched users who had listed SharePoint under their Skills and Manager in their Title and who were members of the New Employee Orientation Team distribution list.

Item Level Security

This set of functionality is understood much better in general; however, there are still a few questions people have.  The most common question I come across is why it has to be so difficult.  Not an easy question to answer.  Most people don't want to have to set permissions on each item, and they see this as too difficult to manage.  There is no way to explicitly deny permission to an object; instead you have to add users to the access list.  Well, I have a few suggestions on how to manage these issues.

Item Level Security Tips

  1. Folders and Views - Now that SharePoint lists allow folders, there are a couple of shortcuts that can be used to set permissions easily on items.  Creating a Folder to place items in allows you to set permissions on that folder and manage permissions in one place.  To avoid showing these folders, you can create a View that is set to show all items without folders.  This makes the list appear normal to a user viewing the list and still automatically applies permissions to list items in these folders.  This method works best for semi-static lists; otherwise it requires a little training to make sure that users know the appropriate folder to create new items in.
  2. SharePoint Groups - Using SharePoint groups allows for easier management of item level security by allowing you to create groupings of users that you can reuse in many areas that are specific to the site collection.  The other benefit here is it is possible to make SharePoint group membership private so that users that aren't a part of the group won't know who is.
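
The two tips above combined, as an added example (not code from the original post): create a folder in a list, give it its own access list containing one SharePoint group, and add a view that shows all items without folders. It uses the WSS v3 server object model on a SharePoint server; every name in the `param` block is a placeholder assumption, and the group and permission level must already exist.

```powershell
# Added example: folder-based item level security with a flat view.
# All parameter values are placeholders (assumptions), not values from the post.
param(
    [string]$siteUrl    = "http://intranet.example.local/sites/hr",
    [string]$listName   = "Project Tasks",
    [string]$folderName = "Managers Only",
    [string]$groupName  = "HR Managers",
    [string]$levelName  = "Contribute"
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
$list = $web.Lists[$listName]

# Folders have to be enabled on the list before one can be created.
if (-not $list.EnableFolderCreation) {
    $list.EnableFolderCreation = $true
    $list.Update()
}

# Create the folder as a list item of type Folder.
$folderItem = $list.Items.Add($list.RootFolder.ServerRelativeUrl,
    [Microsoft.SharePoint.SPFileSystemObjectType]::Folder, $folderName)
$folderItem.Update()

# Stop inheriting from the list; $false means the parent's assignments are not
# copied. There is no deny entry, so access is granted by adding principals.
$folderItem.BreakRoleInheritance($false)

$group      = $web.SiteGroups[$groupName]
$level      = $web.RoleDefinitions[$levelName]
$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
$assignment.RoleDefinitionBindings.Add($level)
$folderItem.RoleAssignments.Add($assignment)

# View that shows all items without folders; items stay security trimmed.
$fields = $list.DefaultView.ViewFields.ToStringCollection()
$view   = $list.Views.Add("All Items (no folders)", $fields, "", 100, $true, $false)
$view.Scope = [Microsoft.SharePoint.SPViewScope]::Recursive
$view.Update()

$web.Dispose()
$site.Dispose()
```

Items created inside the folder inherit its access list, so users outside the group do not see them in the flat view.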

There is probably more I could talk about between Item Level Security and Audience Targeting, however I might save that for another time.

Comments

Re: SharePoint Audience Targeting vs. Item Level Security

Thanks for your tips! In addition I want to suggest trying a new tool for solving SharePoint security issues - Security Explorer for SharePoint (http://dl.scriptlogic.com/landing/beta/Security-Explorer-for-SharePoint.aspx). Since I saw it at the last TechEd, it's been one of my favourite and most useful solutions. Great thing that it supports MOSS 07 and WSS3 as well. With tree view of SharePoint site it can easily manage permissions, SharePoint groups, permission levels, perform backups and even selective restores. I've been using the beta version but if I'm not wrong it was officially released a couple of days ago.
Keith Bunge at 4/22/2008 11:50 PM

Good tip on Item Level Security and use of Folders

Good info!  Thanks a million.

//W
Keith Bunge at 4/22/2008 11:50 PM

Audiences for custom authentication provider?

Hello Keith,

You wrote:
----------
Domain Groups or Roles- If you are using Active Directory domain groups are a valid Target Audience and if you are using a Custom Authentication provider then don't worry you can use a Custom Role provider as an audience too.
---------
I am wondering how to bind an audience to a role provider? We are using FBA which implements active directory membership and AzMan role provider. It works fine with permission level security. However binding FBA roles to audiences is still a mystery to us. Can you point us in the right direction?

Thank you very much.

Alex
Keith Bunge at 4/22/2008 11:50 PM

Target Audience

Is it possible to Add "Group" &  individual "Users" into Audience Targeting ? How ?
Keith Bunge at 4/22/2008 11:50 PM